---
layout: docs
page_title: ssh - Command
description: |-
  The "ssh" command establishes an SSH connection with the target machine using
  credentials obtained from an SSH secrets engine.
---

# ssh

The `ssh` command establishes an SSH connection with the target machine.

This command uses one of the SSH secrets engines to authenticate and
automatically establish an SSH connection to a host. This operation requires
that the SSH secrets engine is mounted and configured.

The user must have `ssh` installed locally - this command will exec out to it
with the proper commands to provide an "SSH-like" consistent experience.

## Examples

SSH using the OTP mode (requires [sshpass](https://linux.die.net/man/1/sshpass)
for full automation):

```shell-session
$ vault ssh -mode=otp -role=my-role user@1.2.3.4
```

SSH using the CA mode:

```shell-session
$ vault ssh -mode=ca -role=my-role user@1.2.3.4
```

SSH using CA mode with host key verification:

```shell-session
$ vault ssh \
    -mode=ca \
    -role=my-role \
    -host-key-mount-point=host-signer \
    -host-key-hostnames=example.com \
    user@example.com
```

For step-by-step guides and instructions for each of the available SSH
auth methods, please see the corresponding [SSH secrets
engine](/vault/docs/secrets/ssh).

## Usage

The following flags are available in addition to the [standard set of
flags](/vault/docs/commands) included on all commands.

### Output options

- `-field` `(string: "")` - Print only the field with the given name, in the format
  specified in the `-format` directive. The result will not have a trailing
  newline making it ideal for piping to other processes.

- `-format` `(string: "table")` - Print the output in the given format. Valid
  formats are "table", "json", or "yaml". This can also be specified via the
  `VAULT_FORMAT` environment variable.

### SSH options

- `-mode` `(string: "")` - Name of the authentication mode (ca, dynamic, otp)."

- `-mount-point` `(string: "ssh/")` - Mount point to the SSH secrets engine.

- `-no-exec` `(bool: false)` - Print the generated credentials, but do not
  establish a connection.

- `-role` `(string: "")` - Name of the role to use to generate the key.

- `-strict-host-key-checking` `(string: "")` - Value to use for the SSH
  configuration option "StrictHostKeyChecking". The default is ask. This can
  also be specified via the `VAULT_SSH_STRICT_HOST_KEY_CHECKING` environment
  variable.

- `-user-known-hosts-file` `(string: "~/.ssh/known_hosts")` - Value to use for
  the SSH configuration option "UserKnownHostsFile". This can also be specified
  via the `VAULT_SSH_USER_KNOWN_HOSTS_FILE` environment variable.

### CA mode options

- `-host-key-hostnames` `(string: "*")` - List of hostnames to delegate for the
  CA. The default value allows all domains and IPs. This is specified as a
  comma-separated list of values. This can also be specified via the
  `VAULT_SSH_HOST_KEY_HOSTNAMES` environment variable.

- `-host-key-mount-point` `(string: "")` - Mount point to the SSH
  secrets engine where host keys are signed. When given a value, Vault will
  generate a custom "known_hosts" file with delegation to the CA at the provided
  mount point to verify the SSH connection's host keys against the provided CA.
  By default, host keys are validated against the user's local "known_hosts"
  file. This flag forces strict key host checking and ignores a custom user
  known hosts file. This can also be specified via the
  `VAULT_SSH_HOST_KEY_MOUNT_POINT` environment variable.

- `-private-key-path` `(string: "~/.ssh/id_rsa")` - Path to the SSH private key
  to use for authentication. This must be the corresponding private key to
  `-public-key-path`.

- `-public-key-path` `(string: "~/.ssh/id_rsa.pub")` - Path to the SSH public
  key to send to Vault for signing.
